Hello Lisa -
At 10:22 +0100 00/11/9, Lisa Goulet wrote:
>Hi Hugh,
>
>Thanks for your response. Here is my radmin.cfg file. The AuthSelect clause
>looks a little different from the original posting, I've been trying
>different things. Basically, I want the SQL query to fail when the CLI is in
>the blacklist. If the CLI is not in the blacklist, I would like the query to
>return something so the "AuthBy SQL" passes. Is my thinking correct?
>
>I also notice in the proxy radiator logfile "Timed out, retransmitting"
>errors. I think this accounts for the spinning. I've included part of the
>log file.
I am a bit confused now - where is the proxy? And what logfile is
included in this mail? If there are two different machines running
two different copies of Radiator with two different configuration
files, I will need to see both configuration files and both logfiles.
However, see my comments below.
>Thanks,
>Lisa
>
># radmin.cfg
>#
>#
># Configuration for authentication of contents in the radmin tables.
>#
>
>
>Foreground
>LogDir .
>DbDir .
>
># Crank down the trace level to 3 after testing
>Trace 4
>
>
># Secrets between clients
><Client DEFAULT>
> Secret xxxxxx
></Client>
>
>
># Database for clients
><ClientListSQL>
> DBSource dbi:Pg:dbname=radmin;host=xxx.xxx.xxx.xxx
> DBUsername radmin
> DBAuth radmin
></ClientListSQL>
>
>
># Address allocation with pools
><AddressAllocator SQL>
> Identifier SQLAllocator
>
> DBSource dbi:Pg:dbname=radmin;host=xxx.xxx.xxx.xxx
> DBUsername radmin
> DBAuth radmin
> DefaultLeasePeriod 86400
>
> <AddressPool 207500370>
> Subnetmask 255.255.255.255
> DNSServer 62.58.62.132
> Range 213.35.224.1 213.35.224.100
> </AddressPool>
></AddressAllocator>
>
># RADMIN table description
><Realm DEFAULT>
>
> RejectHasReason
> AuthByPolicy ContinueWhileAccept
>
> <AuthBy RADMIN>
> # Change DBSource, DBUsername, DBAuth for your database
> # See the reference manual. You will also have to
> # change the one in <SessionDatabase SQL> below
> # so it's the same
> Identifier CheckSQL
> DBSource dbi:Pg:dbname=radmin;host=62.58.62.130
> DBUsername radmin
> DBAuth radmin
>
> # You can add to or change these if you want, but you
> # will probably want to change the database schema first
> AccountingTable RADUSAGE
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef DNIS,Called-Station-Id
>
> # This updates the time and octets left
> # for this user
> AcctSQLStatement update RADUSERS set \
> TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
> OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
> OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>
> # These are the classic things to add to each user's
> # reply to allow a PPP dialup session. It may be
> # different for your NAS. This will add some
> # reply items to everyone's reply
> AddToReply Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-Routing = None,\
> Service-Type = Framed-User,\
> Ascend-Client-Primary-DNS = 62.58.62.132,\
> Framed-MTU = 1500
> </AuthBy>
>
> # check blacklist numbers
> <AuthBy SQL>
> DBSource dbi:Pg:dbname=radmin;host=62.58.62.130
> DBUsername radmin
> DBAuth radmin
> AuthSelect select LOGIN from BLACKLIST \
> where CLI <> '%{Calling-Station-Id}'
> </AuthBy>
>
> # Allocate addresses based on DNIS (Called-Station-ID)
> <AuthBy DYNADDRESS>
> Allocator SQLAllocator
> PoolHint %{Called-Station-Id}
> </AuthBy>
>
></Realm>
>
><SessionDatabase SQL>
> # This database spec usually should be exactly the same
> # as in <AuthBy RADMIN> above
> DBSource dbi:Pg:dbname=radmin;host=xxx.xxx.xxx.xxx
> DBUsername radmin
> DBAuth radmin
></SessionDatabase>
>
In any case, this configuration will not work for two reasons, first
the order of the AuthBy clauses and second the blacklist SQL clause.
You will need to do something like this:
# check blacklist numbers
<AuthBy SQL>
Identifier CheckBlackList
DBSource dbi:Pg:dbname=radmin;host=62.58.62.130
DBUsername radmin
DBAuth radmin
AuthSelect select LOGIN from BLACKLIST \
where CLI <> '%{Calling-Station-Id}'
AuthColumnDef 0, GENERIC, check
</AuthBy>
<AuthBy RADMIN>
Identifier CheckRADMIN
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual. You will also have to
# change the one in <SessionDatabase SQL> below
# so it's the same
DBSource dbi:Pg:dbname=radmin;host=62.58.62.130
DBUsername radmin
DBAuth radmin
# You can add to or change these if you want, but you
# will probably want to change the database schema first
AccountingTable RADUSAGE
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef DNIS,Called-Station-Id
# This updates the time and octets left
# for this user
AcctSQLStatement update RADUSERS set \
TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where \
USERNAME='%n'
# These are the classic things to add to each user's
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Service-Type = Framed-User,\
Ascend-Client-Primary-DNS = 62.58.62.132,\
Framed-MTU = 1500
</AuthBy>
# Allocate addresses based on DNIS (Called-Station-ID)
<AuthBy DYNADDRESS>
Identifier AllocateIPAddress
Allocator SQLAllocator
PoolHint %{Called-Station-Id}
</AuthBy>
<Realm DEFAULT>
RejectHasReason
AuthByPolicy ContinueWhileAccept
AuthBy CheckBlackList
AuthBy CheckRADMIN
AuthBy AllocateIPAddress
</Realm>
The contents of the LOGIN column in your BLACKLIST table should contain this:
cli | login
---------+-------------------
9999999 | Auth-Type = Reject
DEFAULT | Auth-Type = Accept
-----------------------------
The order of the AuthBy clauses is important because you must check
the username and password *after* the blacklist, otherwise the
blacklist DEFAULT will accept everything except the blacklist
numbers, which is not what you want.
hth
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
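Added example, not code from this thread or from Radiator itself: a small Python simulation of the AuthBy chain Hugh proposes, evaluated under the "AuthByPolicy ContinueWhileAccept" semantics described in the reply (evaluate clauses in order, stop at the first result that is not Accept), with a blacklist lookup keyed on Calling-Station-Id that falls back to the DEFAULT row. The BLACKLIST rows, the RADUSERS record and the three Access-Requests are constructed for the demonstration; the functions CheckBlackList/CheckRADMIN/AllocateIPAddress are stand-ins for the real clauses, not Radiator APIs.

```python
# Added example (not from the mailing-list thread or from Radiator): simulates
# an AuthBy chain under AuthByPolicy ContinueWhileAccept. All data is constructed.

ACCEPT, REJECT = "Accept", "Reject"

# Constructed BLACKLIST table in the cli/login layout shown in the reply.
BLACKLIST = {
    "9999999": "Auth-Type = Reject",
    "DEFAULT": "Auth-Type = Accept",
}

# Constructed RADUSERS records (plaintext password only for the simulation).
RADUSERS = {"lisa": "s3cret"}


def lookup_blacklist(cli):
    """Exact match on CLI, then the DEFAULT row (assumption: this is how the
    two-row table is meant to be consulted)."""
    login = BLACKLIST.get(cli, BLACKLIST["DEFAULT"])
    return REJECT if "Reject" in login else ACCEPT


def check_blacklist(req):
    """Stand-in for the CheckBlackList AuthBy SQL clause."""
    return lookup_blacklist(req.get("Calling-Station-Id", ""))


def check_radmin(req):
    """Stand-in for the CheckRADMIN clause: verifies the user's password."""
    ok = RADUSERS.get(req["User-Name"]) == req["User-Password"]
    return ACCEPT if ok else REJECT


def allocate_address(req):
    """Stand-in for AuthBy DYNADDRESS; only reached if earlier clauses accepted."""
    return ACCEPT


# Same order as the <Realm DEFAULT> in the reply: blacklist first.
CHAIN = [
    ("CheckBlackList", check_blacklist),
    ("CheckRADMIN", check_radmin),
    ("AllocateIPAddress", allocate_address),
]


def continue_while_accept(chain, req):
    """Evaluate clauses in order and stop at the first non-Accept result.
    Returns (final result, trace of (clause name, result) pairs)."""
    trace = []
    result = REJECT
    for name, fn in chain:
        result = fn(req)
        trace.append((name, result))
        if result != ACCEPT:
            break
    return result, trace


def run_demo():
    """Three constructed Access-Requests pushed through the chain."""
    blacklisted = {"User-Name": "lisa", "User-Password": "s3cret",
                   "Calling-Station-Id": "9999999"}
    allowed = {"User-Name": "lisa", "User-Password": "s3cret",
               "Calling-Station-Id": "1234567"}
    bad_password = {"User-Name": "lisa", "User-Password": "wrong",
                    "Calling-Station-Id": "1234567"}
    return {
        "blacklisted": continue_while_accept(CHAIN, blacklisted),
        "allowed": continue_while_accept(CHAIN, allowed),
        "bad_password": continue_while_accept(CHAIN, bad_password),
    }


if __name__ == "__main__":
    for label, (result, trace) in run_demo().items():
        print(f"{label:13s} -> {result:6s} via {trace}")
```

The trace for the blacklisted caller shows why the ordering matters operationally: the request is rejected by the first clause and the credential store is never consulted for it, so the reject reason in the log points straight at the blacklist. Note that the lookup here matches the CLI exactly and then falls back to DEFAULT; a query written as `where CLI <> '...'` selects every row whose CLI differs from the caller's, so it is worth checking against the two-row table above which row such a query actually returns for the blacklisted number before relying on it.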